On 8/24/10 12:51 PM, Tom Eastep wrote:
> On 8/24/10 12:03 PM, Hill, John wrote:
>> I have been on the side now for a long, long time. After all of these
>> years, last month I rebuilt my firewall. Today I hit a snag.
>>
>> I have 2 ipset lists Blacklistnets and Blacklisthosts. I have a portmap,
>> BLOCKPORTS from 1 to 1024. I have port 25, 110 and 143 added to
>> BLOCKPORTS and bound to both lists.
>>
>> All works in 4.4.11.2. I was just trying to keep the versions up.
>>
>> Now when I install 4.4.12 and start it, it says that ipset match and
>> iprange must be in the kernel and IPtables. Version 4.4.11.2 works fine.
>>
>> I found the instructions for creating a capabilities file, I have never
>> purposefully done that before? I did just create one with 4.4.11.2 and
>> it lists both of these requirements as yes.
>
> And 4.4.12 does not?
>
>> Do I need to create this in 4.4.12 before I run it? If so is the
>> /etc/shorewall directory ok?
>>
>> Debian lenny Kernel 2.6.26-2amd64 Iptables 1.4.2 ipset 2.3.3. Ipset for
>> Debian kernel was hard to come by, and it is old.
>
> I run ipsets fine with shorewall 4.4.12 and the 2.6.26 Debian kernel
> (although I use xtables-addons-1.24 to install ipsets and the netfilter
> module that goes with it).
>
> Please try the following from a root shell prompt:
>
>     iptables -N foo
>     iptables -A foo -m set --set Blacklistnets src -j ACCEPT
>     iptables -A foo -m set --match-set Blacklistnets src -j ACCEPT
>
> What is the result?

I just noticed something in the 4.4.12 code; please try the attached patch:

    patch /usr/share/shorewall/Shorewall/Config.pm < ipset.diff

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 77b6d12..4bf9ee3 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -2412,7 +2412,7 @@ sub IPSet_Match() { qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" ); $result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 ); } else { - have_capability 'OLD_IPSET_MATCH'; + $result = have_capability 'OLD_IPSET_MATCH'; } qt( "$ipset -X $sillyname" );
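
Review bot: in the else branch, `$result = have_capability 'OLD_IPSET_MATCH';` carries no comment saying that `$result` has to be set on this path, and the removed line shows how easily that assignment is dropped; a one-line comment there stating that the old-syntax capability decides the result on this path would guard it. The branch above hides a side effect inside an expression, `$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );`, which always evaluates to true; writing it as two statements, one clearing `$capabilities{OLD_IPSET_MATCH}` and one setting `$result = 1`, would make both branches read the same way and make the intended result on each path obvious.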
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users